General
-
Target
angelx.exe
-
Size
968KB
-
Sample
201124-pm8k8n3fsj
-
MD5
f9ccd51ac26ac9729efb1386644e09bb
-
SHA1
c90cb01be628c0c00e70629ef1d0916d2aa1c2aa
-
SHA256
e876e9815b602f4e6c022d682c62cf45a6c750ea1a3b10665b792b9ccf705cc4
-
SHA512
5d072857e1976e34b99d06cfae94637a9a8f2e0df68be0b8ab8a8dcfe8af735c9f988a9f6e563aa26004163de1f3c3c03b4bfecfb17cd47b957820210ebeedc9
Malware Config
Extracted
warzonerat
79.134.225.48:3214
Targets
-
-
Target
angelx.exe
-
Size
968KB
-
MD5
f9ccd51ac26ac9729efb1386644e09bb
-
SHA1
c90cb01be628c0c00e70629ef1d0916d2aa1c2aa
-
SHA256
e876e9815b602f4e6c022d682c62cf45a6c750ea1a3b10665b792b9ccf705cc4
-
SHA512
5d072857e1976e34b99d06cfae94637a9a8f2e0df68be0b8ab8a8dcfe8af735c9f988a9f6e563aa26004163de1f3c3c03b4bfecfb17cd47b957820210ebeedc9
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Looks for VirtualBox Guest Additions in registry
-
Warzone RAT Payload
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-